Back to skill

Security audit

Kunwu Builder

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Kunwu Builder control skill, but it needs Review because it can send unauthenticated commands to hard-coded non-local hosts and includes scripts that can reset or delete simulation state without safeguards.

Install only if you intend to control a Kunwu Builder test or lab environment and you understand which host it will contact. Before running any CLI or test script, set and verify KUNWU_API_URL, avoid using it against shared or production scenes, and review scripts that call reset, destroy, delete, export, behavior changes, or cloud model loading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (43)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The quickstart inconsistently refers to both 'Kunwu Builder' and 'SpeedBot Builder', which creates ambiguity about the actual target application and trust boundary. In an agent skill that can control local simulation software and issue scene-changing commands, this confusion can cause operators or downstream tooling to connect to or act on the wrong software environment.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file list says the available scripts are 'kunwu-tool.js' and 'test-connection-kunwu.js', but the examples instruct users to run 'speedbot-tool.js' and 'test-connection.js'. This mismatch is dangerous because users may execute the wrong helper, copy commands from another skill, or build ad hoc replacements, increasing the chance of unintended local actions against the exposed control API.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation gives conflicting guidance about whether gripper axis should be inferred from relative transform positions or from the largest bounding-box axis. In a skill that configures physical motion behavior, contradictory setup rules can cause users or agents to assign the wrong movement axis, leading to incorrect actuation, failed gripping, or collisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The example's referenceAxis values conflict with the enum table and nearby comments, so an implementer may send the wrong axis code to /behavior/add. In this context, wrong numeric axis mappings can directly misconfigure robot or gripper motion, causing unintended movement directions or synchronized parts moving incorrectly.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code advertises rollback on failure, but `_rollback()` only clears local arrays and does not delete or revert any remotely created models, parent-child links, or behaviors. In this skill's context, the methods perform state-changing operations against an external modeling/control system, so partial failure can leave orphaned or inconsistent remote assets that may disrupt later tasks, consume resources, or create unsafe automation state.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The script randomly selects a subset of tests, but the available test set includes destructive and state-changing operations such as model download/creation, object destruction, scene reset, and mode changes. This makes the randomized runner unsafe for shared or production-like environments because harmful actions can execute without operator awareness on any given round.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script explicitly operates on the current scene without resetting it, then creates, modifies, and assembles models by fixed names. In a shared or production-like environment, this can unintentionally alter existing state, collide with prior objects, and produce cumulative side effects that are hard to detect or roll back.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file is presented as a read-only verification script ('check gripper download results'), but it also performs state-changing calls to '/behavior/add' that modify a remote model's behavior. This mismatch can mislead operators or reviewers into running code that changes remote system state unexpectedly, which is dangerous in automation or production environments.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header comment describes loading grippers from a local model library, but the script actually connects to a hard-coded remote HTTP endpoint and performs state-changing operations including download, destroy, and behavior modification. This mismatch can mislead operators about trust boundaries and side effects, increasing the chance they run a script that alters remote assets without realizing it.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The cleanup routine is labeled as removing prior test models, but it matches any model whose name contains very broad substrings like '底座', '机器人', or '托盘'. In a shared or persistent environment, this can delete unrelated production assets simply because their names contain those common terms, making the behavior far more destructive than the function name and comments imply.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The document says users can 'now control the software through natural language' without defining allowed operations, confirmation requirements, or excluded destructive actions. For an agent skill interfacing with a local control API, overly broad trigger phrasing can lead to unsafe interpretation of casual prompts as commands that modify scenes, move equipment, or export data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples include state-changing and file-writing actions such as resetting scenes, creating models, moving robots, changing colors, and exporting to a local desktop path, but the document does not warn that these operations alter data or write to disk. In this context, that omission increases the risk of accidental data loss, unsafe equipment simulation changes, or unintended local file output triggered by natural-language requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README exposes a scene reset operation as a simple command but provides no warning that it may clear current work, undo state, or otherwise destroy unsaved simulation changes. In an agent-driven context, a natural-language request like 'reset the scene' could be executed immediately, increasing the chance of accidental destructive actions.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The natural-language example encourages exporting a robot model to the desktop without documenting that this causes a local file write or where files are created. In an agent environment, undocumented filesystem side effects can lead to unintended data placement, overwrites, or exfiltration-adjacent behavior if exports are triggered automatically.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to use `checkFromCloud:true`, which causes automatic retrieval of models from a remote source, but it provides no warning, approval step, or trust guidance for externally fetched content. In an industrial simulation/control context, silent network access and remote content ingestion increase supply-chain and data-handling risk, especially because the API is unauthenticated and aimed at an internal IP.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation exposes destructive operations such as `/model/destroy` and `/model/library/delete` without any cautionary language, confirmation requirement, or recovery guidance. In this skill's context, these actions can remove scene assets or local model library content and may disrupt ongoing industrial simulation work or cause loss of setup state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill lists high-impact endpoints including `/ResetScene` and mode-changing operations with no warning about clearing current work, interrupting sessions, or affecting active scenarios. Because this skill controls an industrial simulation environment over HTTP on a private network, presenting reset functionality without safeguards materially increases the chance of accidental or unauthorized disruptive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool defaults to sending all API commands over plain HTTP to a non-local hardcoded IP address (100.85.119.45:16888) without clear disclosure or trust verification. In this skill context, the API can manipulate industrial simulation assets, export models, load/save projects, and query scene data, so an unsuspecting user could leak sensitive project data or issue remote control actions to an external host, and the lack of TLS makes interception and tampering possible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This test corpus includes clearly destructive operations like /model/destroy, /ResetScene, /ChangeMode, and /model/download with createInScene enabled, yet the script performs them automatically with no warning or confirmation. Running this against a real remote system can alter or destroy state, disrupt operations, and trigger unintended downloads or scene modifications.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script sends JSON payloads to a hard-coded remote host over plain HTTP without any upfront disclosure, environment validation, or transport protection. Even though the payloads are test data, they reveal internal API structure and can mutate a remote system; using unencrypted HTTP also exposes requests and responses to interception on the network path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends unauthenticated HTTP POST requests to a fixed internal IP address to add and verify behavior settings, causing immediate remote state changes without any confirmation, dry-run mode, or safety prompt. In an agent skill context, this is risky because simply running the file modifies a network-connected system, which can lead to unintended configuration changes or actuator behavior if triggered automatically or by mistake.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script performs destructive deletion of scene models automatically, without prior confirmation, dry-run support, or an explicit safety gate. In an automation or shared environment, this can cause unintended data loss or disruption if model names match the broad test prefix, especially because the script is intended to run directly against a live remote service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script issues authenticated-looking POST requests that create models and add or alter behavior on a reachable host without any interactive confirmation, dry-run mode, or safety gate. Because it targets a private network service and performs state-changing operations automatically, accidental execution can modify remote scene/model state and cause unauthorized or unintended changes in a builder or control environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cleanup routine deletes any models whose names contain broad substrings like 'Camera', 'Bracket', or 'Dufault' without confirmation, dry-run, or ownership checks. In a shared or production environment, this can destroy unrelated assets and cause data loss or operational disruption simply by running the script.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script posts JSON to a fixed private IP over plain HTTP, so requests and responses are unencrypted and unauthenticated at the transport layer. Any attacker on the same network path could intercept or modify traffic, potentially altering model creation requests, harvesting metadata, or spoofing responses that drive subsequent operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_resource_identifier

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
kunwu-tool.js:11

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/model-loader.js:25

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
test-full.js:5

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
EXPORT-GUIDE.md:77

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
kunwu-tool.js:11

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-all-grippers-final.js:12

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-assemble-with-create.js:10

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-bracket-workaround.js:10

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-camera-bracket-assemble.js:24

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-check-all-tasks.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-check-grippers.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-create-gripper.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-final-assemble.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-final-report.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-gripper-download-debug.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-gripper-result.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-grippers-behavior.js:17

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-pick-sort-scene.js:10

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-proper-assemble.js:14

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
test-remote-camera.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
tests-deprecated/test-download-debug.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
tests-deprecated/test-download-direct.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
tests-deprecated/test-download-one-gripper.js:9

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
tests-deprecated/test-download-with-path.js:9